I’ve written previously about how Oxebridge uses the RegDOX portal to protect ITAR data during remote audits. But what does that mean, exactly? How does it work?
To recap, remote ISO 9001 or AS9100 audits require the auditor to examine records. But companies with ITAR, HIPAA, EAR, or any form of Controlled Unclassified Information (CUI) can’t simply start uploading their records to Dropbox, Google Meet, or Zoom since that exposes the data to foreign actors. (The servers run outside of the US.) Worse, you can’t send the files by email, because you have no idea what the auditor will do with them afterward, nor who sees them while in transit; remember, Google scans the content of all emails running through Gmail, for example, for advertising purposes.
Instead, clients must share their records and information in a controlled environment. That’s where RegDOX comes in.
So what does a RegDOX powered audit look like?
For Oxebridge, we host the RegDOX portal through an annual subscription. For most clients, they only need RegDOX a few days out of the year, so buying an annual subscription doesn’t make sense. (Your CB, on the other hand, should invest in this ASAP.) So clients use our portal, and only pay about $100 per audit day.
Prior to the remote audit, we set up a “dataroom” in the RegDOX system that will be used during the audit. To the client, the dataroom is simply a webpage they open in their normal web browser (Chrome is preferred since Edge is currently buggy with RegDOX.) A few days prior, we then send email invitations to the client’s representatives, inviting them to join the dataroom.
On the audit day, the clients’ representatives log into the RegDOX portal via their browser. At the same time, we arrange a standard audio phone call or web conference through some other method; if it’s expected the verbal information exchanged will be secure, we use Signal. Otherwise, we just use a telephone. Old school.
As we interview the client, we ask them to show evidence. In real time, they upload a document into the RegDOX portal, as they would on any other website. Behind the scenes, however, is where the magic happens.
Uploaded documents of any format — text documents, spreadsheets, PDFs, etc. — are all quickly converted to an image format. The image is watermarked with the recipient’s information, meaning — in our case — the Oxebridge auditor. Then, it pops up on our end as an image that cannot be edited. The RegDOX controls then prohibit anyone from printing, saving, downloading, screenshotting or doing anything with the document. Even right-click is disabled. You can zoom and navigate the resulting image, but that’s it.
Many remote auditors are relying on blurry, shaky video to replace the experience of walking the shop floor. Oxebridge defers to its photomapping method instead, since live video: (a) is terrible, (b) intimidates your workers, and (c) can accidentally reveal ITAR information and result in a felony leak of data. With the photomap method, the images are uploaded and reviewed in the RegDOX portal, so no controlled unclassified information escapes.
Once the audit is complete, the client “destroys” the dataroom, and any shared information is permanently wiped. No one can retrieve it… not Oxebridge, not the RegDOX company, no one.
All of this results in a much faster and more secure audit. It removes the ability of auditors to retain your confidential data on their clunky laptops, which may or may not have any security controls installed. Every time an auditor leaves his or her laptop in the hotel room during their trip to the lobby bar, your information is at risk. But if they don’t ever get it, they can never leak it.
So while I’ve focused on how Oxebridge performs audits with RegDOX, it’s not limited to remote audits conducted by us. We can offer access to our RegDOX platform during your third-party ISO 9001 or AS9100 audit as well. In that case, we send invites to you, and then you send additional invites to your CB auditor. Then you share your information with the CB through RegDOX during the audit days, without having to pay an annual subscription for 360+ days you will never use.
If you’re interested in using our RegDOX platform for your internal audits, or your third-party CB audits, contact me.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.